Merge pull request #7831 from thomasspriggs/tas/fix_havoc_guards

Enrico Steffinlongo · web-flow · commit f868847d0084 · 2023-07-28T11:56:45.000+01:00
Fix havoc guards
diff --git a/regression/cbmc/havoc_choice/main.c b/regression/cbmc/havoc_choice/main.c
@@ -0,0 +1,37 @@
+#include <assert.h>
+#include <stdbool.h>
+
+bool nondet_bool();
+
+int main()
+{
+  char a = 'a';
+  char b = 'b';
+  char c = 'c';
+  char d = 'd';
+
+  char *p =
+    nondet_bool() ? (nondet_bool() ? &a : &b) : (nondet_bool() ? &c : &d);
+
+  __CPROVER_havoc_object(p);
+
+  if(p == &a)
+    assert(a == 'a');
+  else
+    assert(a == 'a');
+
+  if(p == &b)
+    assert(b == 'b');
+  else
+    assert(b == 'b');
+
+  if(p == &c)
+    assert(c == 'c');
+  else
+    assert(c == 'c');
+
+  if(p == &d)
+    assert(d == 'd');
+  else
+    assert(d == 'd');
+}
diff --git a/regression/cbmc/havoc_choice/test.desc b/regression/cbmc/havoc_choice/test.desc
@@ -0,0 +1,19 @@
+CORE new-smt-backend
+main.c
+
+\[main\.assertion\.1\] line \d+ assertion a \=\= \'a\'\: FAILURE
+\[main\.assertion\.2\] line \d+ assertion a \=\= \'a\'\: SUCCESS
+\[main\.assertion\.3\] line \d+ assertion b \=\= \'b\'\: FAILURE
+\[main\.assertion\.4\] line \d+ assertion b \=\= \'b\'\: SUCCESS
+\[main\.assertion\.5\] line \d+ assertion c \=\= \'c\'\: FAILURE
+\[main\.assertion\.6\] line \d+ assertion c \=\= \'c\'\: SUCCESS
+\[main\.assertion\.7\] line \d+ assertion d \=\= \'d\'\: FAILURE
+\[main\.assertion\.8\] line \d+ assertion d \=\= \'d\'\: SUCCESS
+^EXIT=10$
+^SIGNAL=0$
+^VERIFICATION FAILED$
+--
+In the case where __CPROVER_havoc_object is applied to a pointer which points
+to one of a selection of objects, only the one object which it pointed to should
+be reassigned. This test is to cover the specific case where the value of the
+pointer is expressed using nested ternary conditional expressions.
diff --git a/src/goto-symex/symex_other.cpp b/src/goto-symex/symex_other.cpp
@@ -46,11 +46,11 @@ void goto_symext::havoc_rec(
   {
     const if_exprt &if_expr=to_if_expr(dest);
 
-    guardt guard_t=state.guard;
+    guardt guard_t = guard;
     guard_t.add(if_expr.cond());
     havoc_rec(state, guard_t, if_expr.true_case());
 
-    guardt guard_f=state.guard;
+    guardt guard_f = guard;
     guard_f.add(not_exprt(if_expr.cond()));
     havoc_rec(state, guard_f, if_expr.false_case());
   }
@@ -68,7 +68,11 @@ void goto_symext::havoc_rec(
   }
   else
   {
-    // consider printing a warning
+    INVARIANT_WITH_DIAGNOSTICS(
+      false,
+      "Attempted to symex havoc applied to unsupported expression",
+      state.source.pc->code().pretty(),
+      dest.pretty());
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -46,11 +46,11 @@ void goto_symext::havoc_rec(`
`46`	`46`	`{`
`47`	`47`	`const if_exprt &if_expr=to_if_expr(dest);`
`48`	`48`
`49`		`- guardt guard_t=state.guard;`
	`49`	`+ guardt guard_t = guard;`
`50`	`50`	`guard_t.add(if_expr.cond());`
`51`	`51`	`havoc_rec(state, guard_t, if_expr.true_case());`
`52`	`52`
`53`		`- guardt guard_f=state.guard;`
	`53`	`+ guardt guard_f = guard;`
`54`	`54`	`guard_f.add(not_exprt(if_expr.cond()));`
`55`	`55`	`havoc_rec(state, guard_f, if_expr.false_case());`
`56`	`56`	`}`
`@@ -68,7 +68,11 @@ void goto_symext::havoc_rec(`
`68`	`68`	`}`
`69`	`69`	`else`
`70`	`70`	`{`
`71`		`- // consider printing a warning`
	`71`	`+ INVARIANT_WITH_DIAGNOSTICS(`
	`72`	`+ false,`
	`73`	`+ "Attempted to symex havoc applied to unsupported expression",`
	`74`	`+ state.source.pc->code().pretty(),`
	`75`	`+ dest.pretty());`
`72`	`76`	`}`
`73`	`77`	`}`
`74`	`78`